WCF SECURITY

Windows Communication Foundation (WCF) is a secure, reliable and scalable messaging platform. With WCF, SOAP messages can be transmitted over a variety of supported protocols, including named pipes, TCP, HTTP and MSMQ. As with any distributed messaging platform, you must establish security policies for protecting messages and for authenticating and authorizing calls.

1. Types of Authentication

2. Transfer security Mode

3. Transport Security protection level

4. Message Security Level

Types of Authentication

Authentication in WCF is the verification that the caller of the service is who it claims to be. This verification of the caller is referred to as service authentication.

No authentication:

The service does not authenticate its callers and allows clients access.

Windows authentication:

Windows authentication is the most suitable authentication type on an intranet, where client credentials are stored in Windows accounts and groups. In this mode the caller provides a Windows credential ticket/token to the service for authentication.

Windows credentials are the default credential type.

UserName/Password:

The caller provides an explicit username and password to authenticate to the service.

Issued token:

The caller and the service can both rely on a secure token service to issue the client a token that the service recognizes and trusts.

Custom mechanism:

WCF allows developers to replace the built-in authentication mechanism by providing their own protocol and credential type for authentication.

Transfer security Mode:

WCF offers the following transfer security modes:

Message Security mode:

In this mode, the message itself is encrypted. Encrypting the message rather than the transport enables services to communicate securely over a non-secure transport such as HTTP. It provides end-to-end security.

It is mainly used in Internet applications.

Transport security mode:

When the system is configured with ‘Transport’ mode, WCF uses a secured communication protocol. The available secure transports are HTTP, TCP, IPC and MSMQ. Transport security encrypts all communication on the channel and provides integrity, privacy and mutual authentication. It provides point-to-point security.

Mixed transfer security mode:

It uses transport security for message integrity, privacy and service authentication, and it uses message security for securing client credentials.

Both security mode:

This transfer security mode uses both transport security and message security. The message is secured using message security and is then transferred to the service over a secure transport.
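
The following Python script is an added example, not part of the original article: it reads the bindings section of a WCF configuration file, reports each binding's effective transfer security mode and explicitly configured client credential type, and flags bindings that end up with no transfer security, including a basicHttpBinding that has no security element and therefore falls back to its default mode of None. The sample configuration and its binding names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Transfer security mode WCF applies when a binding sets no <security mode="...">.
DEFAULT_MODE = {"basicHttpBinding": "None", "wsHttpBinding": "Message",
                "netTcpBinding": "Transport", "netNamedPipeBinding": "Transport",
                "netMsmqBinding": "Transport"}
# Child of <security> that carries clientCredentialType for each mode.
CREDENTIAL_ELEMENT = {"Transport": "transport", "Message": "message",
                      "TransportWithMessageCredential": "message", "Both": "message"}

# Constructed sample configuration; names and settings are illustrative only.
SAMPLE_CONFIG = """
<configuration><system.serviceModel><bindings>
  <basicHttpBinding>
    <binding name="legacy" />
    <binding name="mixed">
      <security mode="TransportWithMessageCredential">
        <message clientCredentialType="UserName" />
      </security>
    </binding>
  </basicHttpBinding>
  <netTcpBinding>
    <binding name="intranet">
      <security mode="Transport">
        <transport clientCredentialType="Windows" protectionLevel="EncryptAndSign" />
      </security>
    </binding>
    <binding name="open"><security mode="None" /></binding>
  </netTcpBinding>
</bindings></system.serviceModel></configuration>
"""

def audit_bindings(config_xml):
    """Return one dict per binding: type, name, effective mode, credential, flagged."""
    rows = []
    for bindings in ET.fromstring(config_xml).iter("bindings"):
        for btype in bindings:
            for binding in btype.findall("binding"):
                sec = binding.find("security")
                explicit = sec.get("mode") if sec is not None else None
                mode = explicit or DEFAULT_MODE.get(btype.tag, "unknown")
                cred = None  # stays None when the config sets no credential type
                if sec is not None and mode in CREDENTIAL_ELEMENT:
                    el = sec.find(CREDENTIAL_ELEMENT[mode])
                    cred = el.get("clientCredentialType") if el is not None else None
                rows.append({"type": btype.tag, "name": binding.get("name"),
                             "mode": mode, "credential": cred,
                             "flagged": mode in ("None", "unknown")})
    return rows

if __name__ == "__main__":
    for row in audit_bindings(SAMPLE_CONFIG):
        print("UNPROTECTED" if row["flagged"] else "ok", row)
```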

Transport Security protection level

In WCF, transport security depends on the binding and the subsequent transport being used. Each protocol (TCP, HTTP, MSMQ, named pipes) has its own mechanism for passing credentials and handling message protection.